Cyber Saturday—Doubts Swirl Around Bloomberg’s China Chip Hack Report

In last weekend’s column we discussed Bloomberg Businessweek’s recent, explosive report alleging that Chinese spies had planted surveillance chips on the motherboards of computer servers that ended up inside more than two dozen companies, including Amazon and Apple. Just about all of the parties named in the piece issued strong denials. I urged readers to approach the story with skepticism. “It’s likely there is truth in the piece, but in which parts remains an open question,” I wrote.

A week later, I remain deeply troubled by this story—not because of its substance, but because of its lack of substantiation. It seems a little odd that no one has reported identifying a single one of these spy chips in the wild since Bloomberg’s report appeared, no? Wouldn’t it have been easy for any companies using servers containing components from Supermicro, the company whose products were allegedly backdoored, to send an engineer into a data center, pry open a server, pluck out an offending implant, and reveal China’s alleged subterfuge to the world? Instead, we hear cricket chirps.

While this absence of evidence is not enough to debunk the report, it does raise doubts. Besides, wouldn’t it be easier for spies simply to meddle with Supermicro’s notoriously buggy firmware? This approach would achieve the same results and be far less complicated to pull off logistically. Plus, it would leave no trace.

Further developments related to the report’s publication give me pause. Joe Fitzpatrick, a hardware hacking expert and one of the only named sources in the piece, said he finds the story implausible. The authors have published erroneous cybersecurity reports before. (No one is perfect, but these prior offenses do raise an eyebrow.) Even Rob Joyce, a top National Security Agency official, said he has not found “any ties to the claims that are in the article.” He added: “I worry that we’re chasing shadows right now.”

While we await even the faintest whiff of corroboration, one must acknowledge that this story does not as yet pass the sniff test. For now, I recommend filing the piece under cloak, not dagger.

THREATS

Facebook hack. Facebook said a recent breach of its network affected 30 million users, 20 million fewer than it estimated when it first announced the incident a couple of weeks ago. The company said the breach exposed more intimate personal information than previously thought: things people searched for, places they had “checked into,” and demographic and contact information. Meanwhile, Facebook purged hundreds of accounts it said were spreading misinformation.

Don’t answer the phone. A researcher for Google’s Project Zero team, a group that hunts for bugs and urges companies to fix them, found a flaw in Facebook’s WhatsApp messaging app that could enable an attacker to crash the app simply by tricking someone into answering a video call. Natalie Silvanovich, the researcher, said she discovered and reported the bug in late August. Facebook fixed it by early October. By the way, the company just released Portal, a device that lets you make video calls…

Google minus. Google said it would shutter its social media service, Google Plus, after earlier this year discovering a security vulnerability that could have allowed people to access hundreds of thousands of users’ personal information. The Wall Street Journal originally reported this as a “data breach,” but walked back this labelling after Google said it found no evidence that people’s data were misused. Here is a worthwhile essay that goes over the difference between a breach and a bug, and why such distinctions are important.

An unexpected layover. Federal agents lured a Chinese government spy to Belgium where he was apprehended and transferred to the U.S. He now faces prosecution over economic espionage charges in the states. The accused, Yanjun Xu, a senior officer with China’s Ministry of State Security (MSS), is alleged to have stolen trade secrets from aerospace companies. This is the first time a Chinese government spy has been brought to the U.S. to face charges.

ACCESS GRANTED

The art of crisis negotiation. Here’s a story you don’t read every day: The victim of an online account hijacker managed to talk his ransom-seeking hacker into restoring access to his accounts, free of charge. The victim successfully persuaded his attacker to stand down; he bonded with him, saying he “felt sympathy” for him. Vice Motherboard published the audio of the conversation, which you can listen to here.

Jared Goetz was at dinner when someone used his American Express card to buy a $39,000 web domain. Goetz wasn’t too concerned, he told Motherboard in a phone call: He told the American Express fraud department the transaction wasn’t his, but things rapidly got much worse.

Goetz’s cellphone suddenly lost all service, meaning he couldn’t receive or make any calls or texts, or use any online services. Maybe the e-commerce entrepreneur and business coach had forgotten to pay his T-Mobile bill, he thought. After getting back to the hotel, he found someone had changed his T-Mobile password. Then, he discovered he also couldn’t log into his email, the epicentre of his digital life.

ONE MORE THING

Greyhat hacking. A hacker has been accessing people’s routers in order to patch them, so they cannot be abused by more malicious attackers. The vigilante, who goes by “Alexey,” claims to have changed the settings and added firewall protections on more than 100,000 vulnerable MikroTik routers to date. He has apparently received very few “thank you” notes.